- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Mon, 11 Apr 2011 11:19:07 -0700
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- CC: Adam Barth <w3c@adambarth.com>, Bil Corry <bil@corry.biz>, gaz Heyes <gazheyes@gmail.com>, Daniel Veditz <dveditz@mozilla.com>, public-web-security@w3.org
On 4/7/11 9:17 AM, Collin Jackson wrote:
> I'd like to suggest option 3, which is to block inline styles by default
> only if a style-src directive is present (authors can use style-src
> 'inline' if they want to use style-src with inline styles).
>
> I believe the common case for CSP is that authors will not use
> style-src, so they will be able to use inline styles normally without
> any special directives. If they do indicate that they're interested in
> style security by using style-src, they'll get the most secure behavior
> by default until they specify otherwise.
>
> Attaching default blocking behaviors to specific directives rather than
> to the entirety of CSP makes the spec more extensible and allows us to
> support a variety of use cases while still keeping policies simple.
>
> Collin

I think this is the best solution offered so far. If there are no objections, I'll make this change to the spec draft as well.

I have 10 items marked for follow-up that I'm hoping to address with changesets this week. That's in addition to the detailed editorial feedback JeffH provided, which I'll also be looking to address in the next week or three. I'll reply to relevant posts on the list as I push the changes.

Thanks,
Brandon
Received on Monday, 11 April 2011 18:19:39 UTC
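The "option 3" semantics discussed in this thread, written out as a small policy evaluator (added example, not code from the thread or from the CSP draft): inline styles are blocked only when a style-src directive is present and lacks the draft's 'inline' keyword (the keyword later shipped as 'unsafe-inline'). The external-sheet check goes slightly beyond the thread to show that the same directive governs stylesheet origins; it uses a simplified matcher (exact scheme://host or 'self') and does not model default-src fallback, both of which are assumptions of this example.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_style_allowed(header: str) -> bool:
    """Option 3 from the thread: inline styles are blocked only when a
    style-src directive is present and does not carry 'inline'."""
    sources = parse_csp(header).get("style-src")
    if sources is None:
        return True  # no style-src: inline styles work as without CSP
    return "'inline'" in sources


def external_style_allowed(header: str, page_origin: str, sheet_url: str) -> bool:
    """Simplified source matching (assumption, not the draft's full grammar):
    'self' means the page origin, anything else is a literal scheme://host.
    Without style-src the sheet is allowed; default-src fallback is not modeled."""
    sources = parse_csp(header).get("style-src")
    if sources is None:
        return True
    parts = urlsplit(sheet_url)
    sheet_origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and sheet_origin == page_origin:
            return True
        if src == sheet_origin:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policies illustrating the three cases in the thread.
    for policy in ("default-src 'self'",
                   "default-src 'self'; style-src 'self'",
                   "style-src 'self' 'inline'"):
        print(f"{policy!r}: inline allowed = {inline_style_allowed(policy)}")
```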